Hi Dave,

the quotes around the password shouldn't be necessary (and are, in fact, 
wrong). Could you please share the error message you've got when omitting 
these quotes?

Please also post the output of the following command (it doesn't contain 
any sensitive information, just the header of the private key and 
certificate file):

head -n1 /etc/graylog/graylog-ssl/CERT.pem /etc/graylog/graylog-ssl/KEY.pem



Cheers,
Jochen

On Thursday, 7 July 2016 20:11:03 UTC+2, Dave C. wrote:
>
> Jochen, 
>
> I ran the openssl command and it returned a single line with the text: RSA 
> key ok
>
> I did have some errors prior to the current ones with Graylog not being 
> able to access the key file. Those turned out to be an incorrect 
> formatting in the server.conf file, I had to put the password in quotes to 
> get past that error. 
>
> These are the sections of the server.conf file you asked for with the 
> private info removed: 
>
> # Enable HTTPS support for the REST API. This secures the communication 
> with the REST API with
> # TLS to prevent request forgery and eavesdropping. This is disabled by 
> default. Uncomment the
> # next line to enable it.
> rest_enable_tls = true
>
> # The X.509 certificate chain file in PEM format to use for securing the 
> REST API.
> rest_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>
> # The PKCS#8 private key file in PEM format to use for securing the REST 
> API.
> rest_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>
> # The password to unlock the private key used for securing the REST API.
> rest_tls_key_password ="PASSWORD"
>
>
> # Enable HTTPS support for the web interface. This secures the 
> communication of the web browser with the web interface
> # using TLS to prevent request forgery and eavesdropping.
> # This is disabled by default. Uncomment the next line to enable it and 
> see the other related configuration settings.
> web_enable_tls = true
>
> # The X.509 certificate chain file in PEM format to use for securing the 
> web interface.
> web_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>
> # The PKCS#8 private key file in PEM format to use for securing the web 
> interface.
> web_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>
> # The password to unlock the private key used for securing the web 
> interface.
> web_tls_key_password ="PASSWORD"
>
> Thanks for the help. 
> --Dave C. 
>
> On Thursday, July 7, 2016 at 3:13:12 AM UTC-5, Jochen Schalanda wrote:
>>
>> Hi Dave,
>>
>> the error message looks like the private key is in an incompatible or 
>> invalid format which Graylog can't process.
>>
>> Could you please share your Graylog configuration (the rest_* and web_* 
>> settings should be sufficient) and the output of the following OpenSSL 
>> command:
>>
>> openssl rsa -noout -check -inform pem -in /path/to/private.key
>>
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 6 July 2016 21:42:47 UTC+2, dave...@gmail.com wrote:
>>>
>>> All, 
>>>
>>> I have been working on setting up a test instance of Graylog 2.0 for 
>>> several weeks now and I can't seem to make any progress with implementing 
>>> SSL. I have seen a few other posts asking about converting java wallets to 
>>> the new set up of cert and key pair but that doesn't apply; I have a new 
>>> cert from a CA. I am pretty sure I have the cert in the correct encoding 
>>> "X.509 certificate with PEM encoding" that the documentation 
>>> <http://docs.graylog.org/en/2.0/pages/configuration/https.html> asks 
>>> for. I can use the command "openssl x509 -in cert.pem -text -noout" to 
>>> see the contents of the cert without issue. I can get Graylog 2.0 
>>> running with no SSL and with self generated certs but when I use the certs 
>>> from the CA I keep getting the errors below in 
>>> /var/log/graylog-server/server.log when I try to start Graylog 2.0, I can 
>>> send more of the log if needed. This is installed on Oracle Linux Server 
>>> release 6.7 with Graylog 2.0, Elasticsearch, and MongoDB installed from 
>>> their respective yum repos. Any advice would be greatly appreciated, I'm 
>>> just spinning my wheels at this point. 
>>>
>>>
>>> 2016-07-06T14:02:42.862-05:00 ERROR [ServiceManager] Service 
>>> WebInterfaceService [FAILED] has failed in the STARTING state.
>>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag 
>>> = 48)
>>>         at 
>>> sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> sun.security.util.DerInputStream.getOID(DerInputStream.java:281) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
>>>  
>>> ~[sunjce_provider.jar:1.8.0_71]
>>>         at 
>>> java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) 
>>> ~[?:1.8.0_73]
>>>         at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) 
>>> ~[?:1.8.0_73]
>>>         at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
>>>  
>>> ~[?:1.8.0_71]
>>>         at 
>>> org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
>>>  
>>> [graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.Callables$3.run(Callables.java:100) 
>>> [graylog.jar:?]
>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>> 2016-07-06T14:02:42.896-05:00 ERROR [InputSetupService] Not starting any 
>>> inputs because lifecycle is: Uninitialized [LB:DEAD]
>>>
>>> 2016-07-06T14:02:42.941-05:00 ERROR [ServiceManager] Service 
>>> IndexerSetupService [FAILED] has failed in the STOPPING state.
>>> java.lang.IllegalStateException: Can't move to started state when closed
>>>         at 
>>> org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.elasticsearch.transport.TransportService.doStart(TransportService.java:182)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68)
>>>  
>>> ~[graylog.jar:?]
>>>         at org.elasticsearch.node.Node.start(Node.java:278) 
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
>>>  
>>> [graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.Callables$3.run(Callables.java:100) 
>>> [graylog.jar:?]
>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>>
>>>
>>> 2016-07-06T14:02:43.202-05:00 ERROR [ServiceManager] Service 
>>> RestApiService [FAILED] has failed in the STOPPING state.
>>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag 
>>> = 48)
>>>         at 
>>> sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> sun.security.util.DerInputStream.getOID(DerInputStream.java:281) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
>>>  
>>> ~[sunjce_provider.jar:1.8.0_71]
>>>         at 
>>> java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) 
>>> ~[?:1.8.0_73]
>>>         at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) 
>>> ~[?:1.8.0_73]
>>>         at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) 
>>> ~[?:1.8.0_73]
>>>         at 
>>> javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
>>>  
>>> ~[?:1.8.0_71]
>>>         at 
>>> org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
>>>  
>>> [graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.Callables$3.run(Callables.java:100) 
>>> [graylog.jar:?]
>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>> 2016-07-06T14:02:43.206-05:00 ERROR [ServerBootstrap] Graylog startup 
>>> failed. Exiting. Exception was:
>>> java.lang.IllegalStateException: Expected to be healthy after starting. 
>>> The following services are not running: {STARTING=[RestApiService 
>>> [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService 
>>> [FAILED]]}
>>>         at 
>>> com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299)
>>>  
>>> ~[graylog.jar:?]
>>>         at 
>>> org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:129)
>>>  
>>> [graylog.jar:?]
>>>         at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) 
>>> [graylog.jar:?]
>>>         at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
>>>
>>>
>>> --Dave C. 
>>>
>>>
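
The PEM header check requested with `head -n1` at the top of this thread, together with a check for quoted `*_tls_key_password` values, as an added example that is not part of the original messages and is not Graylog code. The function names and the sample files are constructed for illustration; the sample PEM files hold header lines only, no key material.

```shell
#!/bin/sh
# Added example, not Graylog code. All sample files are constructed.

pem_kind() (  # $1 = PEM file; classify it by what `head -n2` would show
    [ -r "$1" ] || { echo unreadable; exit 1; }
    l1=""; l2=""
    { IFS= read -r l1; IFS= read -r l2; } < "$1" || true
    l1=$(printf '%s' "$l1" | tr -d '\r')   # tolerate CRLF line endings
    case "$l1" in
        "-----BEGIN CERTIFICATE-----")           echo certificate ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8-unencrypted ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN RSA PRIVATE KEY-----")       # traditional (PKCS#1) RSA key
            case "$l2" in
                "Proc-Type: 4,ENCRYPTED"*) echo pkcs1-rsa-encrypted ;;
                *)                         echo pkcs1-rsa ;;
            esac ;;
        *) echo unknown ;;
    esac
)

quoted_password_keys() {  # $1 = server.conf; print password keys whose value is in double quotes
    awk '/^[ \t]*[a-z_]+_tls_key_password[ \t]*=/ {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (val ~ /^".*"$/) print key
    }' "$1"
}

make_samples() (  # write the constructed sample files; print their directory
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$d/CERT.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$d/p8enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$d/p1enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/p1.pem"
    printf '%s\n' '# constructed config' 'rest_tls_key_password ="PASSWORD"' \
        'web_tls_key_password = PASSWORD' > "$d/server.conf"
    echo "$d"
)

dir=$(make_samples)
for f in CERT.pem p8enc.pem p1enc.pem p1.pem; do
    printf '%-10s %s\n' "$f" "$(pem_kind "$dir/$f")"
done
quoted_password_keys "$dir/server.conf"
rm -rf "$dir"
```

The `rest_tls_key_file` and `web_tls_key_file` comments quoted above ask for a PKCS#8 key, so a `pkcs1-*` result on the key file is the case worth reporting back to the list.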
